optic-release-automation-app is a helper application manages release and PRs creation/publishing. This app is intended to be used with optic-release-automation-action.
- Install the GitHub App optic-release-automation on the repositories or the organization where you want to use the action
optic-release-automation-actionin your GitHub action workflow as documented here
This application is a companion to the GitHub action optic-release-automation-action.
When used in a GitHub workflow, the action invokes this application to delegate creating of pull request for the new release.
The reason why an external application is needed to automate this is because events triggered by the
GITHUB_TOKEN will not create a new workflow run. Learn more:
Hence we need a separate Github App that does not rely on the
GITHUB_TOKEN and can generate one when needed.
How it works
- optic-release-automation GitHub app is installed on the target repository/organization.
- This allows the GitHub app to create relevant token for the requesting repository.
- optic-release-automation-action GitHub action is used in a workflow and it delegates to this app the responsibility of creating the pull request using a HTTP request.
- The action provides the
GITHUB_TOKENsecret to the GitHub app as the authentication token.
- The GitHub app uses the token to infer which repository is being targeted (i.e. the requesting repository), thereby preventing misuse.
- Once the GitHub app has verified that the provided token has access to the target repository, it uses its own credentials to create the pull request
The approach used by this mechanism is secure.
- It does not serve to unauthenticated requests.
- It expects a
GITHUB_TOKENthat's scoped to the repository and is valid for the duration of the workflow execution to infer the target repository, to prevent anybody from sending a malicious request.
- It does/can not do anything besides opening a pull request.
So if somebody has a token for your repository, and they invoke the GitHub app's HTTP API with correct request body, they can do nothing but open a pull request from a branch that "already exist" in your repo.